1. Field of the Invention
The present invention generally relates to the field of mobile broadband systems, and more particularly relates to securing control and data packets in a mobile broadband network environment.
2. Description of the Related Art
Recently, several broadband wireless technologies have been developed to meet growing number of broadband subscribers and to provide more and better applications and services. For example, 3rd Generation Partnership Project 2 (3GPP2) developed Code Division Multiple Access 2000 (CDMA 2000), 1×Evolution Data Optimized (1×EVDO) and Ultra Mobile Broadband (UMB) systems. The 3rd Generation Partnership Project (3GPP) developed Wideband Code Division Multiple Access (WCDMA), High Speed Packet Access (HSPA) and Long Term Evolution (LTE) systems. The Institute of Electrical and Electronics Engineers developed Mobile Worldwide Interoperability for Microwave Access (WiMAX) systems. As more and more people become users of mobile communication systems and more and more services are provided over these systems, there is an increasing need for mobile communication system with large capacity, high throughput, lower latency and better reliability.
Millimeter-Wave Mobile Broadband (MMB) system based on millimeter waves i.e., radio waves with wavelength in range of (millimeter (mm) to 10 mm, which corresponds to a radio frequency of 30 Gigahertz (GHz) to 300 GHz, is a candidate for next generation mobile communication technology as vast amount of spectrum is available in the mmWave band. Typically, an MMB system consists of multiple MMB base stations (BSs) that cover a geographic area. In order to ensure good coverage, MMB base stations need to be deployed with higher density than macro-cellular base stations. In general, roughly the same site-to-site distance as microcell or Pico-cell deployment in an urban environment is recommended. Transmission and/or reception in an MMB system are based on narrow beams which suppress interference from neighboring MMB base stations and extend range of an MMB link. This allows significant overlap of coverage among neighboring base stations.
Unlike cellular network systems that partition a geographic area into cells with each cell served by one or few base stations, the MMB base stations form a grid with a large number of nodes to which an MMB mobile station can communicate. The MMB base station grid eliminates the problem of poor link quality at the cell edge that is inherent in cellular network system and enables high-quality equal grade of service (EGOS) regardless of the location of a mobile station.
In order to utilize the fact that MS can detect signal from multiple MMB base stations in a MMB network, a cloud cell is formed around the MS. A cloud cell is a virtual cell consisting of multiple BSs that serve a single MS. The MMB BSs in a cloud cell communicating with the MS need to perform downlink (DL) Tx Beamforming, while the MS may need to perform DL Rx Beamforming to receive DL control and data. A MS communicating with a MMB BS in the cloud cell may need to perform uplink (UL) Tx Beamforming while the MMB BS may need to perform UL Rx Beamforming to transmit UL data.
In the traditional communication system wherein a MS communicates with single BS, BS receives Internet Protocol (IP) packets from a data gateway in DL direction, performs entire processing of IP packets, and transmits physical bursts carrying the processed IP packets to the MS. In UL direction, the BS receives physical bursts carrying IP packets from the MS, performs entire processing of the received physical burst and transmits the IP packets to the data gateway.
Typically, in order to secure the IP packets, the BS encrypts the IP packets received from the data gateway prior to transmitting to the MS. Similarly, the BS decrypts the IP packets received from the MS before transmitting to the data gateway. An authentication/authorization key (AK) is generated for an <MS, BS> pair. The AK is generated by key distribution function in the network and provided to a BS. MS also generates the AK. Independent security keys are then generated from the AK for control and data packets. <MS, BS> uses these generated security keys for control and data to apply security to control and data packets respectively. Authorization/Authentication key (AK) is updated when the MS performs handover from one BS to another.
The procedure and interaction between various entities to generate security keys is given below. At first, the MS registers with the BS and MS context (capability) is initialized with the authenticator. The MS is then authenticated with an AAA server using Extensible Authentication Procedure (EAP) procedures. As part of EAP procedure, Master Session Key (MSK) is established at the MS and an Authentication, Authorization and Accounting (AAA) server. The AAA server then transfers the MSK to the authenticator. Thereafter, the authenticator and the MS derive a Pair Wise Master Key (PMK) from the MSK. Then, the authenticator and the MS derive an authentication key specific to the BS from the PMK. The authenticator transfers the derived authentication to the BS. The BS and the MS derives security keys for data and control packets from the authentication key. In this procedure, the MSK is known to the MS, the authenticator and the AAA server. The MS receives the MSK from the AAA server during the EAP procedure. Also, the authenticator receives the MSK from the AAA server. The PMK is known to the MS and the authenticator. The PMK is derived by the MS and the authenticator from the MSK. The AK is known to the MS, the BS and the authenticator. The MS and the authenticator derive AK from the PMK. The BS receives the AK from the authenticator.
In another wireless communication system such as Long Term Evolution (LTE), where MS communicates with single BS, security processing for data packets is performed by MS and BS. However, control packets are divided in two categories, category 1 consists of control packets terminating at BS and category 2 consists of control packets terminating at Mobility Management Entity (MME). Security processing of control packets terminating at BS is done by MS and BS. Security processing of control packets terminating at MME is done by MS and MME.
In the mobile broadband system, where the multiple BSs are grouped together to serve a single MS and the MS communicates with multiple BSs in the cloud cell, several methods are proposed for security. In one method, each BS in a cloud cell is capable of applying security function on IP packets. Each BS applies security to IP packets received from the data gateway or the Master BS before transmitting to the MS. Each BS also applies security to the IP packets received from the MS before transmitting to the data gateway or the Master BS. However, this scheme requires either sharing of security keys to all BSs in the cloud cell or maintaining independent security keys for each BS. The sharing of security keys across the BSs in the cloud cell or maintaining independent security keys for each BS requires frequent update of the security keys due to addition or deletion of the BS(s) in the cloud cell. The BS(s) may be added and deleted frequently because of the small coverage area of each BS in the mobile broadband system.
In a mobile broadband system with gigabit throughput, in order to facilitate faster processing it is necessary that packets are already encrypted before resources for transmitting packets are allocated to MS by BS. The frequent key update may result in discarding of already encrypted packets at the MS. The MS also needs to maintain both encrypted and unencrypted packets in order to re-encrypt the packets after the security keys are updated. Independent security key for each BS may also require the MS to maintain multiple security keys which is not desirable to reduce the MS complexity.
In another scheme, only master BS may be allowed to apply security to packets received from the data gateway and the MS. This may also lead to frequent key update because of change of master BS. This also introduces an additional hop for the IP packets going through the BS other than master BS.